-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sample Keystone v3 policy exposes privilege escalation vulnerability
- ---
### Summary ###
The policy.v3cloudsample.json sample Keystone policy file combined with
the underlying mutability of the domain ID for user, group, and project
entities exposed a privilege escalation vulnerability. When this
sample policy is applied a domain administrator can elevate their
privileges to become a cloud administrator.
### Affected Services / Software ###
Keystone, Havana
### Discussion ###
Changes to the Keystone v3 sample policy during the Havana release cycle
set an excessively broad domain administrator scope that allowed
creation of roles ("create_grant") on other domains (among other
actions). There was no check that the domain administrator had
authority to the domain they were attempting to grant a role on.
Combining the mutable state of the domain ID for user, group, and
project entities with the sample v3 policy resulted in a privilege
escalation vulnerability. A domain administrator could execute a series
of steps to escalate their access to that of a cloud administrator.
### Recommended Actions ###
Review the following updated sample v3 policy file from the OpenStack
Icehouse release:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=0496466821c1ff6e7d4209233b6c671f88aadc50
You should ensure that your Keystone deployment appropriately reflects
that update. Domain administrators should generally only be permitted
to perform actions against the domain for which they are an
administrator.
Optionally, review the recent addition of support for immutable domain
IDs and consider it for applicability to your Keystone deployment:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2fa6a6f01a4884edf369cafa39946636af5cf1a
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTUCuwAAoJEJa+6E7Ri+EVvxwIAKsOIp4gBotwIO9yxTf3y4wF
C7nVi/y5JwwQmzxAHGtMCBn/M6xH8GygMz0P4HWO8B9cI8HWdxpFHy+/504ShTLV
E+ZMNbuJJ6FriKy6HASonfmleHguCT8fWsv5FvHjKsZnBjEY54OYP7Xnw4Kio4rZ
TpCja+vc3IrDnCwqoMHySjD8qSWZLsuYr/klo+AUEt0lry06Zr62Tgb7S6sqYrBn
mcbO0VJ0+89frcyVD4v6aONNX9OcqkQfH0lnriWT2Vyax6+s4DnOqAvsFy8Rdqdf
xWGBkRa7ejDUel5Jgzh9GUwrsk2tpcIpiHh1qXGjgTr8K8xmVu6zaxHE7Cm8wHY=
=l8Lr
-----END PGP SIGNATURE-----